Matter No.: 12221-020001 Page 1 of 42 

Applicant(s): Unknown at this time 

CONNECTION BASED DENIAL OF SERVICE DETECTION 




FIG. 2A (flowchart):
Branch labels: Non-TCP, TCP
Synch packet is the client; synch_ack packet is the server
Identify source that uses the lowest number port of the pair of hosts and assume that source is the server, 23e
Identify source that sent synch_ack, 23d



FIG. 9 (flowchart 50):
Track moving average, 51
Track variance of parameter, 52
Collect anomalies into events, 54
Send event reports, 55
Branch label: yes



FIG. 10 (flowchart 56):
Traverse connection table, 56a
Identify and correlate anomalies by examining connection patterns, 56b
Determine event, 56c
Determine event severity, 56d
Report event, 56e



FIG. 11 (flowchart 60):
Analyze byte and packet counts, 62
... hosts to determine possible attackers, 64



FIG. 12 (flowchart):
Compare measured inbound rate to historical, 63b
Use variance to determine if under attack, 63c
Increase severity of reported event, 63f
Report event, 63g
Branch labels: yes, no



FIG. 13 (flowchart 70):
Host pair added to time-slice connection table, 71
Access time slice table, 73
Add to host pairs, 75
Branch labels: yes, yes




FIG. 14 (flowchart 80):
Access connection table, 82
Examine host pairs in a scan, 83
Reconstruct path used by worm, 84
Examine ports used by worm, 85
Determine exploited services, 86



FIG. 16 (flowchart 90):
Examine host pairs from connection table, 92
Apply other indicia to determine if unauthorized access, 96
Apply indicia that can decrease severity of event, 98
Send event, 99
Branch label: no



FIG. 17 (flowchart 100)




FIG. 18 (flowchart 110):
Receive statistics on a Host
Determine if ratio of standard deviation rate to mean rate of server response packets is less than R, 114
Indicate Host as a failed Host, 116
Branch labels: no, yes, yes



FIG. 21 (flowchart 200):
Form groups of nodes according to connection patterns, 200a
Merge groups into larger groups according to connection habits, 200b



FIG. 22 (flowchart 200a):
construct a k-neighborhood graph, 212
identify bi-connected components (BCC) in the k-neighborhood graph, 214
assign nodes contained in one BCC to a new group, 216
... vertices representing those hosts are removed, 220
replace vertices with one vertex representing the entire group, 222
Repeat until the groups are large enough, 224



FIG. 23 (flowchart 230):
generate a connectivity graph, 232
build k-neighborhood graph, 234
remove group nodes from k-neighborhood graph, 236
Generate bi-connected components, 238
replace in the connection graph the nodes in e by a new group node containing those nodes, 240
label a group G by a pair including a unique identifier, 242
do any ungrouped nodes remain in connection-graph or does k=0, 244
Branch labels: no, yes
exit



FIG. 25 (flowchart 200b):
Determine group pairs that meet connection and similarity requirements, 254
append a triple (G1, G2, s) to a list of edges, 256
sort triples in list of edges based on s-values, 258
Form a new group, 260
assign to be the minimum number of connection pairs a host has, 262
clear the list of edges, 264
exit



FIG. 26 (flowchart 270):
receive two sets of results produced by the grouping process, 272
Correlate two results, 274



FIG. 27 (flowchart 200b):
compare results of two executions of grouping algorithm, 282
Update the ID set, 284
correlate the IDs of the two sets, 286
assigns ID according to the highest degree of similarity, 288



FIG. 28 (flowchart 200b):
remove differences between the two host sets, Ht and Ht-1, 290
compare the connection patterns of the hosts, 292
computes a set of nodes at time t-1 but removed at time t, and a set of nodes that only appear at time t, 294
determine similarity, 296
determine if groups are the same, 298



FIG. 31 (flowchart):
Provide list of events, 319a
User selects event, 319b
User snoozes event, 319c


